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statement of Katie Moussouris for the hearing entitled, "Data Security and Bug Bounty Programs: 
Lessons Learned from the Uber Breach and Security Researchers" for the Senate Committee on 
Commerce, Science, and Transportation's Subcommittee on Consumer Protection, Product Safety, 
Insurance, and Data Security^ on Tuesday, February 6, 2018 

Chairman Moran, Ranking Member Blumenthal, and distinguished members of the Committee, thank 
you for the opportunity to testify at this hearing on behalf of Luta Security and the security research 
community. 

We commend the Committee for holding this open hearing to help understand, clarify, and differentiate 
between defensive security research and vulnerability disclosure activities, which may or may not 
include bug bounties, versus Internet-enabled crimes, which may include extortion for unauthorized 
access to consumer data. 

I am the founder and CEO of Luta Security, working with governments and complex organizations on 
multi-party supply chain vulnerability coordination to create mature, robust, sustainable vulnerability 
coordination and disclosure programs. We base these programs on the industry international standards 
ISO/IEC 29147 Vulnerability disclosure^, ISO/IEC 30111 Vulnerability handling processes^ and our 
Vulnerability Coordination Maturity Model. 

I am the co-author & co-editor of these international standards, was co-chair of the NTIA's multi¬ 
stakeholder vulnerability disclosure working group subcommittee of multi-party vulnerability 
coordination'*, with over 20 years of professional technical and strategic work in technology and 
information security, as a former penetration tester at (5)stake^, to creating Microsoft Vulnerability 
Research, the first Microsoft bug bounties, and advising the US Department of Defense for years, 
resulting in the launch of the Hack-the-Pentagon program. I am also one of two private industry official 
delegates of the US technical experts working group to renegotiate the Wassenaar Arrangement®, 
successfully helping clarify exemptions for vulnerability disclosure and incident response in export 
controls.** I served as an expert witness for European Parliament's consideration of dual-use export 
control reform in the context of vulnerability disclosure and bug bounty programs.® 


^ https://www.commerce.senate.gov/public/index.cfm/2018/2/data-securitv-and-bug-bountv-programs-lessons- 

learned-from-the-uber-breach-and-security-researchers 

^ http://standards.iso.org/ittf/PubliclvAvailableStandards/c045170 ISO lEC 29147 

® https://www.iso.org/standard/53231.html 

** https://www.first.org/global/sigs/vulnerabilitv-coordination/multipartv/FIRST-Multipartv-Vulnerabilitv- 

Coordination-draft.pdf 
® https://en.wikipedia.org/wiki/(Sstake 

® https://langevin.house.gov/press-release/langevin-statement-wassenaar-arrangement-plenarv-session 

** http://thehill.com/opinion/cvbersecuritv/365352-serious-progress-made-on-the-wassenaar-arrangement-for- 

global 

® https://www.youtube.com/watch?v=kDJxAm-AVNA&feature=voutu.be 
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Today, I'm here as a witness to talk about the defense market for bugs, the role of bug bounties and 
other security research, and the role of the defensive ecosystem to shape these new markets. 

When I was a teen learning to hack in the late '80s, there was no broadly-recognized and accessible 
defensive market for hacking skills, no online banks or e-commerce sites to hire us to test their Internet¬ 
facing systems for holes, no bug bounty programs, and even the United States government had only a 
few years earlier become aware of threats to national security across the burgeoning early Internet - 
through Hollywood films such as War Games. 

This awareness of the power of hackers had prompted not job offers or viable legal career paths, but 
legislation that made hacking a criminal offense.® This law not only gave prosecutors the necessary legal 
tools to go after nation state actors and criminals, but to this day has caused a chilling effect on security 
research for defensive purposes. This chilling effect on researchers has also been reflected in the 
reluctance of governments and organizations to engage with hackers, further complicated by recent 
data breaches under the mis-applied term "bug bounty". 

Only in the past 5 to 8 years have we seen any major acceptance by governments and companies 
working cooperatively and openly with hackers. However, there is still a great fear among many 
organizations that opening a front door for hackers to report security holes will cause damage from 
disruption of operations, intellectual property theft, fraud, reputational damage, and data breaches. 

In 2015, 94% of the Forbes Global 2000 had no published way to report a security hole to them. If you 
saw something, it was difficult to say something. It was even a risk to your freedom, if the organization 
chose to pursue legal action against you under the Computer Fraud and Abuse Act (CFAA). 

While the CFAA hasn't materially changed over the past 34 years to grant security researchers safe 
harbor for helping to point out security bugs, in July of 2017, the Department of Justice issued "A 
Framework for a Vulnerability Disclosure Program for Online Systems."“This guide is meant as a way to 
help organizations think through important scoping issues around protected classes of data and systems 
when creating vulnerability disclosure programs, with or without cash incentives or bug bounties. 

The main premises to help create robust vulnerability disclosure or bug bounty programs are 
straightforward in the DoJ framework, with a summary of the key aspects as follows: 

1. Decide whether sensitive systems and data are in scope for discovery and reporting by external 
helpful hackers. 

2. Encourage the use of test accounts whenever possible to avoid the unnecessary compromise of 
other users' privacy and data without their permission. 

3. Make it clear that only the minimum necessary proof is required to prove that a vulnerability 
exists, and that no further access or exploitation past that point is authorized. 


® https://www.nvtimes.com/2016/02/21/movies/wargames-and-cvbersecuritvs-debt-to-a-hollvwood-hack.html 

https://www.iustice.gov/criminal-ccips/page/file/983996/download 
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4. Further define how any deliberately or accidentally accessed private data should be stored and 
transmitted. 

5. Specify the manner in which proof of the hack is conveyed, perhaps using a screen capture to 
avoid further transmitting the protected data. 

6. Decide whether to include the requirement to destroy any copies of data once the report is 
delivered. 

To protect both well-intentioned researchers from ambiguity and accidental overstepping the intended 
scope, as well as to protect consumers whose data may be subject to access, transmission, and storage 
without their consent, it is important to define these parameters as clearly as possible. This applies in 
vulnerability disclosure programs as well as bug bounties. 

Finally, as a creator and advisor of some of the major new bug bounty programs in the past several 
years, I want to point out that the ecosystem for rewarding bug hunting is skewing the markets toward 
more bug hunters, but not necessarily more bug fixers. This imbalance that is being created in these 
markets may very well shift the ecosystem towards rewarding more data theft than bug hunting. 

There is a difference between paying $10,000 for a bug and paying $100,000 for a breach. If the legal 
market for bugs becomes muddied with extortion payments that are exponentially higher, we will be 
building the wrong kind of market, and consumers will be the victims instead of the beneficiaries of 
enhanced work with hackers. 

Already, we are facing a global shortage of talent in cyber security, and while more legal ways to report 
bugs is good, the creation of an overall defense workforce is necessary, in the United States and 
worldwide. 

"In 2017, the U.S. employs nearly 780,000 people in cybersecurity positions, with approximately 350,000 
current cybersecurity openings..." 

""With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat 
surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good 
guys. One way to close the gap is through automation, but we also need to train developers, at the very 
earliest stage of their education, to bake security into all new code. It's not good enough to tack 
cybersecurity on as an afterthought anymore. This is especially true as more smart devices become 
Internet accessible and therefore potential avenues for threats." 

According to a 2016 study, "none of the top 10 U.S. computer science programs required a cybersecurity 
course for graduation, and 3 of the top 10 university programs don't even offer an elective course in 
cybersecurity." 


https://www.cloudpassage.com/companv/press-releases/cloudpassage-studv-finds-u-s-universities-failing- 

cybersecurity-education/ 
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Much like in Star Wars, The Force for finding vulnerabilities has a dark side as well as a light side, but 
they are two sides of the same coin, representing indistinguishable skill sets. We are creating more of an 
imbalance in The Force, weighted against defenders. 

As a visiting scholar with MIT Sloan School helping to study the vulnerability economy and exploit 
markets, I helped clarify the differences in the offense and defense markets for bugs. The offense 
market is characterized by nation states and criminals buying bugs and exploits at high prices to keep 
them from being fixed as long as possible to prolong their use in attacks. 

The defense market is typically paying lower amounts than the offense market, but doesn't traditionally 
require the bug hunter to stay silent about their find, once it is fixed, providing the finder with 
recognition and further opportunities for their career in other ways. 

The defense market for bugs cannot compete directly with the offense market on price. 

Very quickly, we would run out of willing software developers and testers, and the markets are already 
taking that direction in the way that bug bounties are being used today. Bug bounty hunters worldwide 
are on average able to make more than being a software developer in many countries. Perverse 
incentives include overpaying for bugs on the defense market, as well as the rewarding of data theft 
with much higher prices than an honest bug hunter would get for adhering to the rules. 

The entire defensive bug hunting ecosystem has a responsibility to help uphold the law & guide the 
creation of programs that will not breach ethical or legal standards. We have a responsibility to the 
current and next generation of hackers to demonstrate best practices in bug bounties as well as the 
broader vulnerability disclosure picture. 

"Focusing on the labor market opens new productive avenues for conversation and future research: It 
suggests linkages between research on vulnerability markets and a larger body of work rooted in the 
tradition of economic sociology. These efforts consider markets not only 

or, at times, not even primarily—as engines of efficient resource allocation, but move to address 
pressing descriptive questions related to the contingent 
and historical specificity of the construction of markets. 

Markets are not inevitable. They are always actively created. 

If Congress were to act to help clarify the role of defensive security research, and encourage the growth 
of the defense market for bugs, as well as the United States labor workforce in cybersecuritydefender 
roles, I would ask that: 


Ryan Ellis, Keman Fluang, Michael Siegel, Katie Moussouris, and Janies Houghton. "Fixing a Hole: The Labor 
Market for Bugs." New Solutions for Cybersecurity. Howard Shrobe, David L. Shrier, and Alex Pentland, eds. 
Cambridge: MIT Press. In Press. ISBN: 9780262535373 https://mitpress.mit.edu/books/new-solutions- 
cybersecurity 
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1. Funding for increased education in security be set for all grades (K-12), to begin finding early 
security talent and recruiting for defense 

2. Setting forth requirements that all college majors in computer science understand secure coding 
and organizational cyber risk management 

3. Fewer "Flack the x" bills be introduced without proper assessment of sustainable defensive 
capabilities in each government agency considering launching a bug bounty. 

Again, I'd like to thank you for the opportunity of testifying today. I welcome your questions and 
comments. 


